public class AuthSSLProtocolSocketFactory extends AuthSSLContextFactory implements org.apache.commons.net.SocketFactory, org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory
AuthSSLProtocolSocketFactory can be used to validate the identity of the HTTPS server against a list of trusted certificates and to authenticate to the HTTPS server using a private key.
AuthSSLProtocolSocketFactory will enable server authentication when supplied with a truststore file containing one or several trusted certificates. The client secure socket will reject the connection during the SSL session handshake if the target HTTPS server attempts to authenticate itself with a non-trusted certificate.
Use JDK keytool utility to import a trusted certificate and generate a truststore file:
keytool -import -alias "my server cert" -file server.crt -keystore my.truststore
AuthSSLProtocolSocketFactory will enable client authentication when supplied with a keystore file containing a private key/public certificate pair. The client secure socket will use the private key to authenticate itself to the target HTTPS server during the SSL session handshake if requested to do so by the server. The target HTTPS server will in its turn verify the certificate presented by the client in order to establish the client's authenticity.
Use the following sequence of actions to generate a keystore file:
1. Use the JDK keytool utility to generate a new key:
   keytool -genkey -v -alias "my client key" -validity 365 -keystore my.keystore
   For simplicity, use the same password for the key as that of the keystore.
2. Issue a certificate signing request (CSR):
   keytool -certreq -alias "my client key" -file mycertreq.csr -keystore my.keystore
3. Send the certificate request to the trusted Certificate Authority for signature. One may choose to act as her own CA and sign the certificate request using a PKI tool, such as OpenSSL.
4. Import the trusted CA root certificate:
   keytool -import -alias "my trusted ca" -file caroot.crt -keystore my.keystore
5. Import the PKCS#7 file containing the complete certificate chain:
   keytool -import -alias "my client key" -file mycert.p7 -keystore my.keystore
6. Verify the content of the resultant keystore file:
   keytool -list -v -keystore my.keystore
Example of using the custom protocol socket factory for a specific host:

```java
Protocol authhttps = new Protocol("https",
        new AuthSSLProtocolSocketFactory(
                new URL("file:my.keystore"), "mypassword",
                new URL("file:my.truststore"), "mypassword"), 443);
HttpClient client = new HttpClient();
client.getHostConfiguration().setHost("localhost", 443, authhttps);
// use relative url only
GetMethod httpget = new GetMethod("/");
client.executeMethod(httpget);
```
Example of using the custom protocol socket factory by default instead of the standard one:

```java
Protocol authhttps = new Protocol("https",
        new AuthSSLProtocolSocketFactory(
                new URL("file:my.keystore"), "mypassword",
                new URL("file:my.truststore"), "mypassword"), 443);
Protocol.registerProtocol("https", authhttps);
HttpClient client = new HttpClient();
GetMethod httpget = new GetMethod("https://localhost/");
client.executeMethod(httpget);
```
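The two examples above rely on the short constructor, which leaves the trust flags implicit. The following is an added example, not code from the original page or from the Ibis project, that builds the factory through the full eleven-argument constructor documented further down so that every trust decision is spelled out. It assumes the keystore and truststore produced by the keytool steps above, uses the page's placeholder passwords, and assumes that passing null for the two algorithm parameters selects the default, which the constructor documentation describes as the behaviour when no algorithm is specified; the class's package is not shown on this page, so its import is left to the reader.

```java
import java.net.URL;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.protocol.Protocol;
// AuthSSLProtocolSocketFactory must be imported from its own package (not shown on this page).

public class StrictHttpsExample {

    // Assembles the factory with the full constructor so that each trust decision is explicit.
    // Passing null for keystoreUrl would disable client authentication; the truststore is
    // still required so that the server's certificate chain is checked against trusted roots.
    static AuthSSLProtocolSocketFactory strictFactory(URL keystoreUrl, String keystorePassword,
                                                      URL truststoreUrl, String truststorePassword)
            throws Exception {
        return new AuthSSLProtocolSocketFactory(
                keystoreUrl, keystorePassword, "JKS",
                null,          // keyManagerAlgorithm: null assumed to mean "use the JDK default"
                truststoreUrl, truststorePassword, "JKS",
                null,          // trustManagerAlgorithm: same assumption
                false,         // allowSelfSignedCertificates: chain must anchor in the truststore
                true,          // verifyHostname: server cert CN must match the host we connect to
                false);        // ignoreCertificateExpiredException: expired server certs are rejected
    }

    public static void main(String[] args) throws Exception {
        // File names follow the keytool steps above; the passwords are placeholders.
        AuthSSLProtocolSocketFactory factory = strictFactory(
                new URL("file:my.keystore"), "mypassword",
                new URL("file:my.truststore"), "mypassword");

        // Bind the factory to this host only instead of replacing the global "https" protocol,
        // so other connections in the same JVM keep their own trust configuration.
        Protocol authhttps = new Protocol("https", factory, 443);
        HttpClient client = new HttpClient();
        client.getHostConfiguration().setHost("localhost", 443, authhttps);

        GetMethod httpget = new GetMethod("/");   // relative URL; the host configuration supplies the rest
        try {
            // A server presenting an untrusted, expired or wrongly named certificate fails here,
            // during the handshake, before any request bytes are sent.
            int status = client.executeMethod(httpget);
            System.out.println("HTTP status: " + status);
        } finally {
            httpget.releaseConnection();
        }
    }
}
```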
Modifier and Type | Field and Description
---|---
protected boolean | ignoreCertificateExpiredException
protected boolean | verifyHostname

Fields inherited from class AuthSSLContextFactory: allowSelfSignedCertificates, keyManagerAlgorithm, keystorePassword, keystoreType, keystoreUrl, log, protocol, sslContext, trustManagerAlgorithm, truststorePassword, truststoreType, truststoreUrl
Constructor and Description
---
AuthSSLProtocolSocketFactory(URL keystoreUrl, String keystorePassword, String keystoreType, String keyManagerAlgorithm, URL truststoreUrl, String truststorePassword, String truststoreType, String trustManagerAlgorithm, boolean allowSelfSignedCertificates, boolean verifyHostname, boolean ignoreCertificateExpiredException): Constructor for AuthSSLProtocolSocketFactory.
Modifier and Type | Method and Description
---|---
protected static void | addProvider(String name)
ServerSocket | createServerSocket(int port)
ServerSocket | createServerSocket(int port, int backlog)
ServerSocket | createServerSocket(int port, int backlog, InetAddress bindAddr)
Socket | createSocket(InetAddress adress, int port)
Socket | createSocket(InetAddress adress, int port, InetAddress localAdress, int localPort)
Socket | createSocket(Socket socket, String host, int port, boolean autoClose)
Socket | createSocket(String host, int port)
Socket | createSocket(String host, int port, InetAddress clientHost, int clientPort)
Socket | createSocket(String host, int port, InetAddress localAddress, int localPort, org.apache.commons.httpclient.params.HttpConnectionParams params): Attempts to get a new socket connection to the given host within the given time limit.
static AuthSSLProtocolSocketFactory | createSocketFactory(URL certificateUrl, String certificateAuthAlias, String certificatePassword, String certificateType, String keyManagerAlgorithm, URL truststoreUrl, String truststoreAuthAlias, String truststorePassword, String truststoreType, String trustManagerAlgorithm, boolean allowSelfSignedCertificates, boolean verifyHostname, boolean ignoreCertificateExpiredException)
protected String | getCN(String dn): Parses an X.500 distinguished name for the value of the "Common Name" field.
SSLContext | getSSLContextLimitedExceptions()
protected void | verifyHostname(SSLSocket socket): Describe verifyHostname method here.

Methods inherited from class AuthSSLContextFactory: createSSLContext, getProtocol, getSSLContext, setProtocol
protected boolean verifyHostname
protected boolean ignoreCertificateExpiredException
public AuthSSLProtocolSocketFactory(URL keystoreUrl, String keystorePassword, String keystoreType, String keyManagerAlgorithm, URL truststoreUrl, String truststorePassword, String truststoreType, String trustManagerAlgorithm, boolean allowSelfSignedCertificates, boolean verifyHostname, boolean ignoreCertificateExpiredException)
Parameters:
keystoreUrl - URL of the keystore file. May be null if HTTPS client authentication is not to be used.
keystorePassword - Password to unlock the keystore. IMPORTANT: this implementation assumes that the same password is used to protect the key and the keystore itself.
keystoreType - type of the keystore to use, e.g. PKCS12/JKS
keyManagerAlgorithm - KeyManagerFactory algorithm; if not specified, the default algorithm is used
truststoreUrl - URL of the truststore file. May be null if HTTPS server authentication is not to be used.
truststorePassword - Password to unlock the truststore.
truststoreType - type of the truststore to use, e.g. PKCS12/JKS
trustManagerAlgorithm - TrustManagerFactory algorithm; if not specified, the default algorithm is used
allowSelfSignedCertificates - when true, self-signed certificates are accepted
verifyHostname - The host name verification flag. If set to true, the SSL session's server host name will be compared to the host name returned in the server certificate's "Common Name" field of the "SubjectDN" entry. If these names do not match, an Exception is thrown to indicate this. Enabling host name verification will help to prevent man-in-the-middle attacks. If set to false, host name verification is turned off.
ignoreCertificateExpiredException - when true, the CertificateExpiredException is ignored
public static AuthSSLProtocolSocketFactory createSocketFactory(URL certificateUrl, String certificateAuthAlias, String certificatePassword, String certificateType, String keyManagerAlgorithm, URL truststoreUrl, String truststoreAuthAlias, String truststorePassword, String truststoreType, String trustManagerAlgorithm, boolean allowSelfSignedCertificates, boolean verifyHostname, boolean ignoreCertificateExpiredException) throws NoSuchAlgorithmException, KeyStoreException, GeneralSecurityException, IOException
protected static void addProvider(String name)
public SSLContext getSSLContextLimitedExceptions() throws IOException
Throws: IOException
public Socket createSocket(String host, int port, InetAddress clientHost, int clientPort) throws IOException, UnknownHostException
Specified by: createSocket in interface org.apache.commons.httpclient.protocol.ProtocolSocketFactory; createSocket in interface org.apache.commons.net.SocketFactory
Throws: IOException, UnknownHostException
See Also: SocketFactory.createSocket(InetAddress, int, InetAddress, int)
public Socket createSocket(String host, int port) throws IOException, UnknownHostException
Specified by: createSocket in interface org.apache.commons.httpclient.protocol.ProtocolSocketFactory; createSocket in interface org.apache.commons.net.SocketFactory
Throws: IOException, UnknownHostException
See Also: SocketFactory.createSocket(String, int)
public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException, UnknownHostException
Specified by: createSocket in interface org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory
Throws: IOException, UnknownHostException
See Also: SSLSocketFactory.createSocket(Socket, String, int, boolean)
public Socket createSocket(InetAddress adress, int port) throws IOException
Specified by: createSocket in interface org.apache.commons.net.SocketFactory
Throws: IOException
See Also: SocketFactory.createSocket(InetAddress, int)
public Socket createSocket(InetAddress adress, int port, InetAddress localAdress, int localPort) throws IOException
Specified by: createSocket in interface org.apache.commons.net.SocketFactory
Throws: IOException
See Also: SocketFactory.createSocket(InetAddress, int, InetAddress, int)
public Socket createSocket(String host, int port, InetAddress localAddress, int localPort, org.apache.commons.httpclient.params.HttpConnectionParams params) throws IOException, UnknownHostException, org.apache.commons.httpclient.ConnectTimeoutException
This method employs several techniques to circumvent the limitations of older JREs that do not support a connect timeout. When running in JRE 1.4 or above, reflection is used to call the Socket#connect(SocketAddress endpoint, int timeout) method. When executing in older JREs, a controller thread is executed. The controller thread attempts to create a new socket within the given time limit. If the socket constructor does not return before the timeout expires, the controller terminates and throws a ConnectTimeoutException.
Specified by: createSocket in interface org.apache.commons.httpclient.protocol.ProtocolSocketFactory
Parameters:
host - the host name/IP
port - the port on the host
localAddress - the local host name/IP to bind the socket to
localPort - the port on the local machine
params - Http connection parameters
Throws:
IOException - if an I/O error occurs while creating the socket
UnknownHostException - if the IP address of the host cannot be determined
Copied from HttpClient 3.0.1 SSLProtocolSocketFactory
org.apache.commons.httpclient.ConnectTimeoutException
public ServerSocket createServerSocket(int port) throws IOException
Specified by: createServerSocket in interface org.apache.commons.net.SocketFactory
Throws: IOException
public ServerSocket createServerSocket(int port, int backlog) throws IOException
Specified by: createServerSocket in interface org.apache.commons.net.SocketFactory
Throws: IOException
public ServerSocket createServerSocket(int port, int backlog, InetAddress bindAddr) throws IOException
Specified by: createServerSocket in interface org.apache.commons.net.SocketFactory
Throws: IOException
protected void verifyHostname(SSLSocket socket) throws SSLPeerUnverifiedException, UnknownHostException
Describe verifyHostname method here.
Parameters:
socket - an SSLSocket value
Throws:
SSLPeerUnverifiedException - If there are problems obtaining the server certificates from the SSL session, or the server host name does not match the "Common Name" in the server certificate's SubjectDN.
UnknownHostException - If we are not able to resolve the SSL session's returned server host name.
protected String getCN(String dn)
Parses an X.500 distinguished name for the value of the "Common Name" field (RFC 2253).
Parameters:
dn - an X.500 distinguished name.

Copyright © 2021 Ibissource.org. All rights reserved.